£18bn: the cost of security breaches in the UK

It's bad, it's expensive and it's getting worse

IT security breaches are costing UK businesses up to £18bn every year, according to the latest figures from the DTI. Its research shows that the threat is growing at an alarming rate. Forty-four per cent of businesses suffered some kind of security breach in 2001, almost double the figure in 2000. Large businesses suffered worst, with four-fifths reporting some kind of problem, according to the report, which was prepared by PricewaterhouseCoopers (PwC).

The average cost of the breaches was £30,000, with some costing over half a million. With 1.35m registered businesses in the UK, this means the total cost nears £20bn.

Chris Potter, information security partner at PwC, said: "It is clear security breaches are causing damage in the order of billions of pounds each year. And everyone's estimate is that the situation is only going to get worse." He added: "This just goes to show that the UK's steady adoption of ebusiness comes with a damaging sting in the tail for many businesses."

The survey also discovered a change in the source of the most serious threats. Previous surveys have suggested that the biggest threats come from within the organisation, but the DTI's research found that more than half of respondents said the biggest threat came from outside their business. This is partly due to the massive increase in viruses last year, by far the single biggest cause of IT security breaches.

The survey also found poor use of security technologies for ecommerce transactions. Just 51 per cent of transactional websites encrypt the data when passing it around, leaving the door open for hackers to intercept sensitive information.

There also seems to be little support for the government's IT security standard - BS7799 - which has, somewhat perversely, been widely adopted in foreign countries. Only 5.5 per cent of UK businesses are compliant with it, and just 2.7 per cent plan to be within the next year.
Aled Miles, managing director, northern Europe for Symantec, which also sponsored the report, said: "Unlike other standards, this hasn't become a necessary part of doing electronic business - no one's saying 'get compliant or we can't do business'. I think many IT departments are scarred after implementing other standards, and then Y2K, and just don't want to spend the money."

Launched at this year's InfoSec show this morning, the new research is the DTI's latest survey into IT security in the UK, and gives the most accurate insight into the threat of information security breaches in your business. The DTI surveyed 1,000 people responsible for IT security within their companies. The report also includes a set of top 10 guidelines for implementing IT security within your business.

For more information see: http://www.security-survey.gov.uk